[lug] Interesting .htpasswd "feature"
rm at fabula.de
Thu Oct 11 13:56:09 MDT 2001
On Thu, Oct 11, 2001 at 01:20:38PM -0600, Scott A. Herod wrote:
> Is it just using the first 8 characters? I think even telnet only uses
> 8 so for example, I can mistype the last two characters of my 10
> character password and still log in.
This is neither telnet nor apache but a 'feature' of Unix' crypt(3)
function (exported by libcrypt). This library will take a password
and an encryption 'salt' and return a 13 character ASCII string with
the first two characters being the salt value. The standard algorithm
also only uses the lower 7 bits of each character. You (or the program)
can ask the library to use the more modern/secure MD5 algorithm by
giving the special salt value '$1$' + 8 chars. MD5 passwords can be
longer than 8 chars and are generally considered more secure.
Ralf Mattes
> Scott
>
> Justin wrote:
> >
> > I tested this on Apache 1.3.20 and I got the same thing. Put in my
> > login name and my password plus a couple keyboard mashes and it logged
> > in fine. Dunno how someone could abuse this though cause they would
> > still need the real password...definitely interesting though.
> >
> > Justin
> >
> > > Check this out:
> > >
> > > If you .htpasswd a directory/site with apache 1.3.19, log in with the
> > > correct username and (password + any characters thereafter) you will be
> > > logged in. I tried this "feature" with apache 1.3.12 and it didn't work.
> > > This seems kind of stupid since somebody doesn't have to use the exact
> > > password when they log in to the site you are protecting. If your password
> > > was ABCDEF and somebody tried the entire alphabet as a password they would
> > > be allowed in. How odd. I wonder if it's just my machine. Can anybody
> > > else confirm this?
> > >
> > > Greg
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
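The crypt(3) behaviour Ralf describes (only the first 8 characters, only the low 7 bits of each) is what the quoted observations boil down to. The following is an added Python example, not code from this thread, that models which passwords traditional crypt would hash identically and flags .htpasswd entries still using that scheme; the hash strings and file contents are constructed, and the "$apr1$" prefix is Apache's own MD5 variant.

```python
# Added example, not from the thread: models what traditional crypt(3)
# consumes from a password and audits .htpasswd entries for that scheme.
# All sample data below is constructed.
import re

TRADITIONAL_RE = re.compile(r"^[A-Za-z0-9./]{13}$")  # 2-char salt + 11


def des_key_material(password: str) -> bytes:
    """Bytes traditional DES crypt(3) derives its key from: only the
    first 8 characters, and only the low 7 bits of each of them."""
    return bytes(ord(c) & 0x7F for c in password[:8])


def same_under_des_crypt(a: str, b: str) -> bool:
    """True if crypt(3) would hash both passwords identically (any salt),
    i.e. Apache would accept either for the same .htpasswd entry."""
    return des_key_material(a) == des_key_material(b)


def classify_hash(stored: str) -> str:
    """Identify the scheme of an .htpasswd hash field."""
    if stored.startswith("$1$"):
        return "md5-crypt"
    if stored.startswith("$apr1$"):  # Apache's own MD5 variant
        return "apr1-md5"
    if TRADITIONAL_RE.match(stored):
        return "traditional-des"
    return "unknown"


def audit_htpasswd(text: str) -> dict:
    """Map each user to its hash scheme; 'traditional-des' entries are
    the ones subject to the 8-character truncation."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        result[user] = classify_hash(hashed)
    return result


# Constructed sample: syntactically valid hashes, not real credentials.
SAMPLE_HTPASSWD = """\
# users for /protected
greg:abJnggxhB/yWI
scott:$1$saltsalt$constructedMD5hash0123
"""
```

Running audit_htpasswd over a real file lists the accounts whose hashes should be regenerated with the MD5 scheme.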